CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV
CISA has added a critical Microsoft SharePoint Server zero-day vulnerability (CVE-2026-58644) to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch it by July 19, 2026, due to active exploitation.
Intelligence analysis by Gemini 2.5 Flash

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal agencies to address a critical, actively exploited remote code execution (RCE) vulnerability in Microsoft SharePoint Server. This zero-day flaw, CVE-2026-58644, allows unauthorized attackers to execute arbitrary code with low complexity, posing a significant threat to on-premise…
Imagine your school's digital locker system, SharePoint, has a secret back door that bad guys found and are using. This secret door lets them sneak in and mess with things, even put their own secret notes inside. The grown-ups in charge of computer safety, CISA, found out and are telling everyone to quickly put a strong lock on that back door before more bad guys get in.
Analysis
The Critical SharePoint Zero-Day
The vulnerability, identified as CVE-2026-58644, carries a CVSS score of 9.8, indicating its severe impact. Microsoft describes it as a critical deserialization of untrusted data flaw that enables an unauthorized attacker, authenticated as at least a Site Owner, to inject and execute arbitrary code remotely on a SharePoint Server. This means that once an attacker gains a basic level of access, they can leverage this flaw to take full control of the server.
Microsoft's advisory explicitly states that the vulnerability is remotely exploitable over the internet, making it a high-risk target for threat actors. A key concern highlighted by Microsoft is the low attack complexity associated with CVE-2026-58644. Attackers do not require extensive prior knowledge of the system, and they can achieve repeatable success with their payloads against the vulnerable component. This ease of exploitation significantly lowers the bar for malicious actors, increasing the likelihood of widespread attacks. The flaw impacts multiple versions of SharePoint Server, including Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, affecting a broad range of enterprise deployments.
CISA's Urgent Mandate and Broader Context
CISA's decision to add CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog underscores the severity and active threat posed by this flaw. The KEV catalog is reserved for vulnerabilities that have been confirmed to be exploited in the wild, signaling an immediate and critical risk. Federal Civilian Executive Branch (FCEB) agencies are now required to apply the necessary patches by July 19, 2026, a tight deadline reflecting the urgency of the situation. This directive aims to protect critical government infrastructure from ongoing attacks.
The agency's warning extends beyond just CVE-2026-58644, encompassing active exploitation of several other SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. These combined flaws enable threat actors to gain unauthorized access, establish remote code execution, and perform post-exploitation activities such as stealing Internet Information Services (IIS) machine keys and deploying malware. This indicates a coordinated effort by attackers to compromise SharePoint environments, leveraging multiple weaknesses for persistence and broader impact.
Essential Hardening Measures
To counter these threats, CISA has provided a comprehensive set of hardening measures. The primary recommendation is to apply the latest patches and security updates from Microsoft promptly and verify their successful installation, emphasizing the need to shorten patching cycles. Beyond patching, CISA advises enabling Antimalware Scan Interface (AMSI) integration for all SharePoint web applications, which helps detect and block malicious activity.
Furthermore, agencies are urged to scan for and remove intrusion artifacts, including machine key harvesting tools, before rotating IIS machine keys to prevent their theft. Establishing tailored logging mechanisms is crucial for detecting and monitoring exploitation activities effectively. Finally, CISA recommends avoiding direct exposure of SharePoint Servers to the internet unless absolutely necessary, blocking external access to SharePoint Central Administration, restricting farm and database communications to essential systems, and reviewing Microsoft's detailed security-hardening guidance for role-specific configurations. These measures collectively aim to create a more resilient SharePoint environment against sophisticated attacks.
Key points
- CISA added Microsoft SharePoint Server zero-day CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog.
- The critical deserialization flaw (CVSS 9.8) allows authenticated attackers to execute arbitrary code remotely.
- Microsoft confirmed active exploitation of the vulnerability in the wild prior to patches released on July 14, 2026.
- Federal agencies must apply fixes by July 19, 2026, as part of a broader warning about multiple exploited SharePoint flaws.
- CISA recommends applying patches, enabling AMSI, rotating IIS machine keys, enhancing logging, and restricting internet exposure for SharePoint servers.
The rapid identification and patching of this zero-day, coupled with CISA's urgent directive and comprehensive hardening guidance, could significantly reduce the window of opportunity for attackers. If federal agencies and other organizations promptly implement these measures, the widespread impact of this vulnerability could be mitigated, enhancing overall enterprise security posture against similar threats.
Despite the patches and warnings, the low attack complexity and active exploitation in the wild suggest that many organizations might still fall victim if they delay patching or fail to implement the recommended hardening measures. The exploitation of multiple SharePoint vulnerabilities simultaneously indicates a sophisticated threat landscape, potentially leading to widespread data breaches and system compromises for unprepared entities.



